Mat Ford - ISOC
Large-scale address sharing issues
‘There must be some way out of here,’ said the joker to the thief. Bob Dylan
Mat Ford
Irish IPv6 Summit 2010, Dublin
Address sharing
2010-05-19 Irish IPv6 Summit 2010
[Diagram with an '@' address symbol, ISP and Internet]
Large-scale address sharing
[Diagram with an '@' address symbol, ISP and Internet]
Address Sharing
• Current practice: give a unique IPv4 public address to each subscriber
– this address can be shared into the residential/office LAN through a NAPT device (in the CPE)
• With IPv4 free-pool allocation completion this is no longer possible for new subscribers
– Scalability of RFC1918 space also creating problems
• A possible solution: allocate the same IPv4 public address to several subscribers at the same time
– this is what we call large-scale address sharing
Port multiplexing
• Q: How is it possible to differentiate between multiple subscribers all sharing a single address?
• A: Use the transport layer port field to multiplex
Background
• Long-tail of subscribers requiring >median number of ports
Source: http://www.wand.net.nz/~salcock/someisp/flow_counting/result_page.html
[Slide series: a subscriber limited to 30 ports, 20 ports, 15 ports and 5 ports]
Slide credit: Shin Miyakawa
It’s your problem now
• Introduction of large-scale address sharing creates potentially serious issues for third parties:
– Some applications will fail to operate
– Reverse DNS will be affected
– Inbound ICMP will fail in many cases
– Amplification of security issues
– Service usage monitoring and abuse logging will be impacted
– Penalty boxes will no longer work
– Spam blacklisting will be affected
– Geo-location and geo-proximity mechanisms will be impacted
– Load balancing algorithms may be impacted
– Authentication mechanisms may be impacted
– Traceability of network usage and abusage will be affected
Impact on applications
• Breaks applications that
– Establish inbound communications
– Carry address and/or port information in their payload
– Use fixed ports
– Do not use any port (ICMP)
– Assume uniqueness of source address
– Explicitly prohibit concurrent connections from identical addresses
ICMP
• ICMP is problematic for address sharing mechanisms as it does not carry any port information
• Responses to outbound ICMP can be handled relatively easily
• Inbound ICMP sourced off-net will not be routable
• ICMP attacks
– Malicious user could send Packet Too Big reducing the MTU down to 68 octets
– Value will be cached by server for all subscribers sharing the IP of the malicious user
– Could lead to a DoS condition for the server and the NAT
Geo-proximity, geo-location
• Conforming with regional content licensing restrictions
• Targeting advertising
• Customising content
• Emergency services
• Shared addressing may reduce level of confidence and location granularity
• Application performance may be affected in the presence of highly centralised CGN
Tracking service usage
• Monitoring unique users of a service no longer possible by simply counting connections from discrete IP addresses
• CPE NAT complicates this today, large-scale address sharing will make it a more widespread and severe issue
• In general, all elements that monitor usage or abusage in the chain between a service provider that has deployed address sharing and a content provider will need to be upgraded to take account of the port value in addition to IP addresses
Traceability
• Address sharing solutions must record and store all mappings they create
– Potentially very large volume of data
– Pre-allocating groups of ports mitigates
– Trade-offs between
• size of pre-allocated groups
• ratio of public addresses to subscribers
• impact on logging requirements
• port randomisation security
• Need for timestamping and accurate timekeeping
– Densely populated CGN could mean even small amounts of clock skew result in misidentification of subscribers
– Alternatively SPs start logging destinations, giving rise to privacy concerns.
Security-related issues
• Port randomisation
• Abuse logging, penalty boxes
– Need to log source port as well as source address
• Spam
• IPsec
• Authentication
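An added illustration, not part of Mat Ford's slides, of the traceability and abuse-logging points above: mappings recorded per pre-allocated port block rather than per flow, lookups keyed on source port as well as source address, and the way a small clock skew misidentifies a subscriber once a block has been handed to someone else. The block size, the unused low ports and the alice/bob scenario are constructed assumptions; the lookup widens its time window so that timing uncertainty shows up as ambiguity instead of the wrong name.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
PORTS_PER_BLOCK = 1024   # constructed: each subscriber gets one pre-allocated group of 1024 ports
FIRST_PORT = 1024        # constructed: ports below 1024 are not handed out on the shared address

@dataclass
class Mapping:
    subscriber: str
    first_port: int          # inclusive
    last_port: int           # inclusive
    start: datetime
    end: Optional[datetime]  # None while the block is still assigned

class CgnLog:
    """Traceability log for one shared public address: one entry per port block, not per flow."""
    def __init__(self):
        self.entries = []
        self.free_blocks = list(range(FIRST_PORT, 65536, PORTS_PER_BLOCK))  # 63 blocks per address
    def assign(self, subscriber, now):
        first = self.free_blocks.pop(0)
        m = Mapping(subscriber, first, first + PORTS_PER_BLOCK - 1, now, None)
        self.entries.append(m)
        return m
    def release(self, m, now):
        m.end = now
        self.free_blocks.insert(0, m.first_port)  # a released block is re-used first
    def lookup(self, port, when, tolerance=timedelta(0)):
        """Subscribers whose block covered `port` within +/- tolerance of `when`; >1 name = ambiguous."""
        lo, hi = when - tolerance, when + tolerance
        hits = set()
        for m in self.entries:
            end = m.end if m.end is not None else datetime.max
            if m.first_port <= port <= m.last_port and m.start <= hi and lo < end:
                hits.add(m.subscriber)
        return hits

def demo():
    """Constructed scenario: the block passes from alice to bob, then an abuse report arrives."""
    t0 = datetime(2010, 5, 19, 10, 0, 0)
    log = CgnLog()
    alice = log.assign("alice", t0)
    log.release(alice, t0 + timedelta(minutes=10))
    log.assign("bob", t0 + timedelta(minutes=10))     # bob receives the same 1024-2047 block
    report = t0 + timedelta(minutes=9, seconds=59)    # the reported flow was alice's
    skewed = report + timedelta(seconds=2)            # but the reporter's clock runs 2 s fast
    return {"exact": log.lookup(1500, report),                           # {'alice'}
            "skewed": log.lookup(1500, skewed),                          # {'bob'}: wrong subscriber
            "tolerant": log.lookup(1500, skewed, timedelta(seconds=5)),  # {'alice', 'bob'}: ambiguous
            "entries": len(log.entries)}                                 # 2, however many flows ran
```

Note that a report without the source port, or without a timestamp accurate to the tolerance used, cannot be resolved to one subscriber at all: the lookup returns every holder of the block in the window.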
Load balancing
• Deterministic algorithms based on IP addresses may see sudden imbalances in load as address sharing is enabled
• Growth of address sharing will require re-evaluation of load balancing algorithm designs
Other issues
• Fragmentation
• Multicast
• Mobile-IP
• Single Point of Failure
• Reverse DNS
– Reverse DNS strings no longer sufficient to identify a discrete subscriber
Conclusions
• Large-scale address sharing will make many existing address sharing issues more severe and more widespread
• Large-scale address sharing will also create new technical and business issues
• Third parties, content providers and LEAs will be impacted
• IPv6 is the only way to avoid this